The document provides tips on using "Jedi mind tricks" to build successful application security programs. It discusses speaking the business language to gain executive buy-in, translating technical risks like vulnerabilities into monetary risks, and deriving an organization's expected monetary loss from application risks. It also recommends getting the right stakeholders involved early, doing a security assessment to demonstrate real risks, and integrating the program into the SDLC and other processes.
Website attacks continue to prevail despite the best efforts of enterprises to fight them. Websites are an ongoing business concern and security must be assured all the time, not just at a point in time. And yet, most websites were exposed to at least one serious vulnerability every day of 2010, leaving valuable corporate and customer data at risk. Why?
In this report, Jeremiah will explore a new way to measure website security, Windows of Exposure, that tracks an organization’s current and historical website security posture. Window of Exposure is a useful combination of vulnerability prevalence, how long vulnerabilities take to get fixed, and the percentage of them that are remediated. By carefully tracking these metrics, an organization can determine where resources would be best invested.
Using data from WhiteHat’s 11th Website Security Statistics Report, based on assessments of over 3,000 websites, Grossman will reveal the most secure (and insecure) vertical markets and the Windows of Exposure of each. Find out how your industry ranks, and the top ten vulnerabilities plaguing your peers. Learn how to determine which metrics are critical to increasing their remediation rates, thereby limiting their Window of Exposure. The good news is that companies that take this approach are increasing remediation rates by 5 percent per year.
Maximize Computer Security With Limited Resources - Secunia
Presentation from Stefan Frei on how patches are an effective method to escape the arms race with cybercriminals. The majority of vulnerabilities have patches ready on the day of disclosure, which means that the right patch strategy is the obvious way to maximize risk reduction.
Symantec offers an in-depth analysis of Rogue Security Software. RSS are fake applications that pretend to provide computer security services but, on the contrary, aim to install malicious code that compromises the overall security of the machine.
Overview - Risks - Main methods of spread and distribution.
The observation period runs from July 2008 to June 2009.
Keeping Data Safe on the Move
Companies are rushing headlong to develop applications for mobile customers who frequent app stores for Android, Apple and BlackBerry devices. But amid the flurry, IT must maintain its secure software development lifecycle process, including client-side, transport and Web application security strategies, or risk a black eye.
Addressing the Top 3 Real-world Security Challenges for Your IBM i Systems - Precisely
The most effective approach to cybersecurity is having multiple layers of defense mechanisms deployed to protect your systems. This is commonly referred to as “Defense in Depth”.
Because your IBM i holds data that is vital to your business, implementing multiple IBM i technologies that will help prevent or detect an accidental error or malicious behavior is essential.
Watch our on-demand webinar where Carol Woodbury of DXR Security discusses three of the current real-world issues facing organizations today and how layering multiple security technologies can protect your data and avoid business disruptions.
Register to hear about:
• The benefits of implementing defense in depth
• Determining the value and risk level of your data
• Developing a plan to implement as many layers as needed to appropriately reduce risk
M-Trends® 2010: The Advanced Persistent Threat - FireEye, Inc.
The inaugural M-Trends report details threat intelligence learned while conducting intrusion investigations for the U.S. government, the defense industrial base, and commercial organizations. This report focuses on the Advanced Persistent Threat (APT), and outlines trends, techniques, and real details of how the APT successfully compromises any target it desires. For the latest M-Trends report, visit https://www.fireeye.com/mtrends
Review on mobile threats and detection techniques - ijdpsjournal
Over the last decade, smart-phones have gained widespread usage. Mobile devices store personal details such as contacts and text messages. Due to this extensive growth, smart-phones have become attractive to cyber-criminals. In this research work, we have done a systematic review of the terms related to malware detection algorithms and have also summarized the behavioral description of some known mobile malwares in tabular form. After careful solicitation of all the possible methods and algorithms for detection of mobile-based malwares, we give some recommendations for designing future malware detection algorithms by considering the computational complexity and detection ratio of mobile malwares.
BSidesLondon 20th April 2011 - @Jimmy Blake
-----------------------------------------------------------------
The media hype, both positive and negative, around cloud computing is often sensationalist. The reality is that cloud computing has a place as a tool in the modern computing environment – but how do you realistically balance the benefits with the risks?
---- for more about Jimmy
jimmyblake.com
BSidesLondon 20th April 2011 - Rory Mccune (@raesene) -----------
"Penetration testing" has become a staple of the security programmes of a lot of companies around the world and particularly in the UK. Unfortunately in most cases it's poorly understood, the value for customers is minimal and it bears absolutely no resemblance to what a modern attacker would do.
So it's time for it to die. ------ for more info about Rory Mccune go to www.7elements.co.uk
BSidesLondon 20th April 2011 - Xavier Mertens (@xme)
========================
Your IT infrastructure generates thousands (millions?) of events a day. They are stored in several places under multiple forms and contain a lot of very interesting information. Using free tools, this presentation will give you some ideas on how to properly manage this continuous flow of information and how to make it more valuable.
for more about Xavier
http://blog.rootshell.be
BSidesLondon 20th April 2011 - @wickedclownuk
---------------------------------------------------
Lots of companies are using RDP to support their external users. The administrators lock down the servers via group policy believing it is all secure. I will demonstrate how you can instantly bypass group policy and how to escalate your privileges with the use of Metasploit.
BSidesLondon 20th April 2011 - Manuel
--
This talk will show you the basics of reverse engineering Android apps with the ultimate goal of re-implementing the decryption routines of the Kobo Android reader to achieve interoperability of other software with that closed interface.
--- for more about Manuel
http://sporkbomb.eu and Kobo http://sporkbomb.eu/kobopier/
BSidesLondon 20th April 2011 - David Rook (@securityninja)
-----------------------
This demonstration filled talk will start by discussing the problems with the security code review approaches most people follow and the reasons why I created Agnitio. This will include a look at existing manual and automated static analysis procedures and tools. The talk will move onto exploring the Principles of Secure Development and how the principles have been mapped to over 60 different checklist items in Agnitio.
---- for more about David go to
http://www.securityninja.co.uk/
---- for more about Agnitio go to
http://sourceforge.net/projects/agnitiotool/
1A Lundberg Sellberg Citizen Services - Sweden EHiN 2014 - IKT-Norge
Nina Sellberg
Adjunct professor in eHealth, Karolinska Institute, R&D eHealth, Stockholm
Citizen Services - Sweden
Citizen Services - Sweden (Innbyggertjenester - Sverige)
EHiN 2014, IKT-Norge and HOD
IT and Sustainability: New Strategies for Reducing Carbon Emissions and Reso... - Jeffrey Funk
This paper describes how rapid rates of improvement in smart phones, telecommunication systems and other forms of IT enable solutions for sustainability and how this provides opportunities for the fields of telecommunication and information systems. While reports from the Intergovernmental Panel on Climate Change focus on technologies with rates of improvement of less than 5% per year, most types of information technologies are experiencing annual rates of improvement that exceed 30% per year. These rapid rates of improvement are changing the economics of many activities, of which this paper describes four examples in transportation. The paper concludes by discussing challenges for universities and in particular for the fields of telecommunications and information systems.
ALE has offices all over the world and carries out remarkable projects in countries as far apart as the US, Indonesia, South Africa and Azerbaijan. Yannick Sel, one of the company’s youngest employees, will share his story on how he got into the field and why he has a passion for the specialized transportation industry.
Speaker: Yannick Sel, ALE
Gamma Piu is a well-known Italian manufacturer of professional hairdressing equipment, more precisely professional hair dryers, professional hair straighteners, professional hair curlers and accessories for these devices. Quality and performance are always this manufacturer's way of life.
Win more listings like a boss. Less Blah Blah More Ah Ha success strategies... - Ken Brand
These are some of the ideas I share in the Listings Workshop. Of course there's explanation, samples, stories, questions and answers too. If I can be helpful - Ken Brand 832-797-1779
The Role of Application Control in a Zero-Day Reality - Lumension
With end users often downloading unwanted and unknown applications, more than 1.6 million new malware signatures appearing every month and a rising tide of zero-day attacks, there is more risk to your systems and information than ever before.
Find out:
* How to defend against zero-day threats - without waiting for the latest anti-virus signatures
* Why application control / whitelisting should be a central component of your security program
* How application control has evolved to enforce effective security in dynamic environments
Microsoft has announced the BlueKeep vulnerability, a wormable Remote Desktop vulnerability that has a high potential of being exploited in legacy operating systems.
Be warned, this vulnerability can be exploited remotely with no authentication required. Protect yourself from what people are calling the next WannaCry.
The True Cost of Anti-Virus: How to Ensure More Effective and Efficient Endp... - Lumension
Today, more than 1.6 million new malware signatures are identified each month. And more organizations are falling prey to "zero-day" attacks - malware for which an anti-virus signature does not exist. It’s no surprise that roughly half of the organizations surveyed in a 2010 Ponemon Institute study reported an increase in their IT operating expenses - a main driver of that cost increase was malware. Traditional anti-virus simply can't keep up in the malware arms race and relying on it as your primary defense will prove costly.
In this webcast, Paul Henry, security and forensics expert, and Chris Merritt, Director of Solution Marketing with Lumension, will examine:
* The true cost of anti-virus in terms of PC performance, network bandwidth, IT helpdesk costs, prevention of malware and more
* Why application whitelisting is a better approach to defend against rising targeted attacks
* How application whitelisting has evolved to provide a new level of intelligence that delivers more effective security and necessary flexibility to improve productivity - in even rapidly changing endpoint environments
Presentation delivered in Argentina and Paraguay during March 2014.
In Argentina by Faustino Sanchez. In Paraguay by Santiago Cavanna.
It deals with the problem of the presence of vulnerabilities in applications, the impact this has on organizations, and the means available to discover them early and facilitate their remediation.
Links available at
http://www.santiagocavanna.com/segurinfo-2014-el-costo-oculto-de-las-aplicaciones-vulnerables/
What? Why? Who? How? Of Application Security Testing - TEST Huddle
A penetration testing expert is better at pen-testing than me, but should I simply delegate application security to specialists and network firewalls? Actually no, I shouldn’t and neither should anyone else involved in the systems development lifecycle.
For years I treated security testing as something akin to black magic beyond my comprehension and penetration testers as technical wizards who could cast out evil hacking spells. Obviously that was daft, but it took some effort to see what was really happening behind the smoke and mirrors of application security, and to de-mystify it for my colleagues.
Follow the journey that led Declan O'Riordan to believe that every well-formed tester can and must have a basic understanding of what application security is, why it is important, who should be doing it, and how.
After this presentation you can stop describing security as ‘Out of Scope’ from your test plans.
"Evolving Cybersecurity Strategies" - Identity is the new security boundary - Dean Iacovelli
As cyber attacks have matured and become more complex over the last number of years, the objective of most attacks has not changed: compromise and collect user credentials. This session will explore the changing cybersecurity landscape and how managing identity – both in the enterprise as well as across 3rd party applications - is becoming job #1 in managing your organization’s risk.
BSidesLondon 20th April 2011 - Chris John Riley, Chris Sumner, Arron "finux" Finnon and Frank Breedijk
---------------
Why shouting into the security echo chamber does no good! Set to interpretive YMCA dance....
--------------- for more information about the presenters follow them on twitter: @ChrisJohnRiley, TheSuggmeister, @seccubus, @F1nux
You built a security castle and forgot the bridge…now users are climbing your... - Security BSides London
BSidesLondon 20th April 2011 - Soraya Viloria Montes de Oca
------------
Successful IT projects are not always security successes. The question "How much time do you ever spend understanding the business needs and the data that the system is handling before you propose security controls?" is asked... and discussed.
------- for more about Iggy follow @GeekChickUK
BSidesLondon 20th April 2011 - Jim Shields (@JimShout) Note: watch this video before the presentation http://vimeo.com/22580155
---------------------------
Addressing the human factor with Jim from Twist & Shout. Jim not only shared his technical expertise recording the BSides sessions but also shared some useful insights on "user awareness". ------ due to copyright issues, many of the images/clips cannot be shown
------------ for more about Jim
www.twistandshout.co.uk
BSidesLondon 20th April 2011 - Steve Lord (@stevelord)
----------------------------------------------------------------
The majority of penetration testing teams have staff falling into three of four categories: Nessus Monkeys, Experts-in-Training and Jaded Cynicists. This is a talk about improving penetration testing skills to get to the rare fourth Jedi master level, normally occupied by less than 1% of the team, where nothing is impossible. The talk will be backed up by video footage from actual penetration tests as well as live demos and a Q&A session.
---- for more about Steve
http://www.mandalorian.com
BSidesLondon 20th April 2011 - Justin Clarke (@connectjunkie)
----------------------------------------------------------------------
This talk is intended to provide a high level overview of some of the areas where cryptographic operations such as encryption and hashing can provide far less security than was planned, and concrete examples of how these were found and exploited.
--- for more about Justin
http://www.gdssecurity.com
BSidesLondon 20th April 2011 - Arron "finux" Finnon
---------------------------------------------------------------------
The presentation's aim is to talk about how simple it is to deploy DNS tunnelling infrastructure at little or no cost. It also shows how to establish an SSH connection from target to attacker, and acts as a taster for people's further research.
----- for more about @F1nux go to www.finux.co.uk
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova... - Ramesh Iyer
In today's fast-changing business world, companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and a willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
PHP Frameworks: I want to break free (IPC Berlin 2024) - Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf - Paige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble, many organizations still relegate monitoring & observability to the purview of ops, infra and SRE teams. This is a mistake: achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party, and will share these foundational concepts to build on:
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf - 91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
A tale of scale & speed: How the US Navy is enabling software delivery from l... - sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATOs (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... - UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Accelerate your Kubernetes clusters with Varnish Caching - Thijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
UiPath Test Automation using UiPath Test Suite series, part 4 - DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Securing your Kubernetes cluster: a step-by-step guide to success! - KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Elevating Tactical DDD Patterns Through Object Calisthenics - Dorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Jedi mind tricks for building application security programs
1. David Rook
Jedi mind tricks for building application security programs
SecurityBSides, London
2. if (slide == introduction)
System.out.println("I’m David Rook");
• Security Analyst, Realex Payments, Ireland
CISSP, CISA, GCIH and many other acronyms
• Security Ninja (www.securityninja.co.uk)
• Speaker at international security conferences
• Nominated for multiple blog awards
• A mentor in the InfoSecMentors project
• Developed and released Agnitio
3. Agenda
• Using Jedi mind tricks on your developers
• s/Application Security Alien/Business Language/i;
4. Using Jedi mind tricks on developers
• Most developers actually want to write secure code
• You need to take ownership of the app sec problems with them
• Developers generally like producing quality code, use this!
• They want security knowledge with good practices and tools
5. Using Jedi mind tricks on developers
Jim Bird, blog comment:
“I’m a software guy. I don’t need a meme. I need practices and tools that
work, that help me get software out the door, better software that is more
reliable and more secure.”
http://securosis.com/blog/good-programming-practices-vs.-rugged-development
6. Using Jedi mind tricks on developers
• How can you help developers?
• Help them understand how to write secure code
• Own application security problems with them
• Don’t dictate! Speak, listen, learn and improve things
11. Application Security Alien
• We speak an alien language
• We talk of injections, jackings and pwnings
• We present findings in weird formats with a side order of FUD
12. Application Security Alien
• I will use CVSS as an example
• Let’s pretend we are analysing a SQL Injection vulnerability
16. Application Security Alien
CVSS Environmental Equation
EnvironmentalScore = (AdjustedTemporal + (10 - AdjustedTemporal) * CollateralDamagePotential) * TargetDistribution
AdjustedTemporal = TemporalScore recomputed with the Impact sub-equation replaced with the following AdjustedImpact equation.
AdjustedImpact = Min(10, 10.41 * (1 - (1 - ConfImpact*ConfReq) * (1 - IntegImpact*IntegReq) * (1 - AvailImpact*AvailReq)))
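To show what the equation on this slide actually does to the SQL Injection example, here is an added worked scoring in Python. It is not from the presentation: the metric weights are the ones published in the CVSS v2 guide, while the SQL Injection vector (network reachable, no authentication, partial C/I/A impact, functional exploit, official fix, high confidentiality and integrity requirements) is an assumed one, since the slides with the base and temporal values are not reproduced here.

```python
"""CVSS v2 base, temporal and environmental scoring (added example, not from the slides).

Weights are those published in the CVSS v2 guide; the SQLI vector below is assumed.
"""

# Base metric weights
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA_IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}
# Temporal metric weights
EXPLOITABILITY = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}
REMEDIATION_LEVEL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
REPORT_CONFIDENCE = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}
# Environmental metric weights
COLLATERAL_DAMAGE = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}
TARGET_DISTRIBUTION = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}
SECURITY_REQUIREMENT = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}


def round1(x):
    """CVSS v2 rounds every score to one decimal place, half up."""
    return round(x + 1e-9, 1)


def impact_subscore(c, i, a):
    return 10.41 * (1 - (1 - CIA_IMPACT[c]) * (1 - CIA_IMPACT[i]) * (1 - CIA_IMPACT[a]))


def adjusted_impact(c, i, a, cr, ir, ar):
    """AdjustedImpact: each impact weighted by the security requirement, capped at 10."""
    return min(10.0, 10.41 * (1 - (1 - CIA_IMPACT[c] * SECURITY_REQUIREMENT[cr])
                                 * (1 - CIA_IMPACT[i] * SECURITY_REQUIREMENT[ir])
                                 * (1 - CIA_IMPACT[a] * SECURITY_REQUIREMENT[ar])))


def exploitability_subscore(av, ac, au):
    return 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]


def base_from_subscores(impact, exploitability):
    f_impact = 0.0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def base_score(m):
    return base_from_subscores(impact_subscore(m["C"], m["I"], m["A"]),
                               exploitability_subscore(m["AV"], m["AC"], m["Au"]))


def temporal_score(m, base=None):
    """TemporalScore = BaseScore * E * RL * RC; the base may be an adjusted base."""
    if base is None:
        base = base_score(m)
    return round1(base * EXPLOITABILITY[m["E"]] * REMEDIATION_LEVEL[m["RL"]]
                  * REPORT_CONFIDENCE[m["RC"]])


def environmental_score(m):
    """The slide's equation: recompute the temporal score with AdjustedImpact in place
    of Impact, then scale by collateral damage potential and target distribution."""
    adjusted_base = base_from_subscores(
        adjusted_impact(m["C"], m["I"], m["A"], m["CR"], m["IR"], m["AR"]),
        exploitability_subscore(m["AV"], m["AC"], m["Au"]))
    adjusted_temporal = temporal_score(m, base=adjusted_base)
    return round1((adjusted_temporal + (10 - adjusted_temporal) * COLLATERAL_DAMAGE[m["CDP"]])
                  * TARGET_DISTRIBUTION[m["TD"]])


# Assumed vector for the slides' SQL Injection: reachable over the network, no
# authentication needed, partial C/I/A impact, functional exploit, official fix
# available, confirmed report; the business rates C and I requirements high.
SQLI = {
    "AV": "N", "AC": "L", "Au": "N", "C": "P", "I": "P", "A": "P",
    "E": "F", "RL": "OF", "RC": "C",
    "CDP": "MH", "TD": "H", "CR": "H", "IR": "H", "AR": "M",
}

if __name__ == "__main__":
    print("base", base_score(SQLI))                    # 7.5
    print("temporal", temporal_score(SQLI))            # 6.2
    print("environmental", environmental_score(SQLI))  # 8.2
```

Three scores, eleven metrics and a dozen constants to explain a single SQL Injection finding; the slide's point is that none of this maps onto anything the business scores risk with.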
18. Application Security Alien
• We speak an alien language
• We talk of injections, jackings and pwnings
• We present findings in weird formats with a side order of FUD
• We feel security should just happen without having to justify it
19. The Business Language
• We need to speak the business language
• We need to talk about things the business cares about
• We need to present findings in a format that makes sense
20. The Business Language
• How does your business score risks?
• Let’s pretend we are analysing a SQL Injection vulnerability
21. The Business Language
A simple (common!) risk equation: Probability * Impact
Probability   Impact   Score   Appetite
3             5        15      12
22. The Business Language
• We need to speak the business language
• We need to talk about things the business cares about
• Present findings in a format that makes sense to the business
• Application security is no exception when it comes to resourcing
23. Jedi mind tricks and alien translations
• Apply the KISS principle to everything you do
• Keep everything as simple as possible, complexity doesn’t help
• Understand what developers want and need to write secure code
• Work with the business and use their language and formats
25. Jedi mind tricks for building application security programs
Chris Wysopal
CTO & Co-founder
26. The formative years… Padawan?
It was all about attack.
Early web app testing: Lotus Domino, Cold Fusion
Windows Security: Netcat for Windows, L0phtCrack
Early disclosure policies: RFPolicy, L0pht Advisories
27. Now with professional PR team…
Time to help the defensive side
Led @stake research team
@stake application security consultant
Published Art of Software Security Testing
Veracode CTO and Co-Founder
28. Why do we need executive buy in?
Application security programs will require developer training
Application security programs will require tools/services
Application security programs will impact delivery schedules
Application security cannot be “voluntary”
Authority
30. If money is the language of execs, what do they say?
How do I grow my top line?
How do I lower costs?
How do I mitigate risk?
Talk in terms of business risk and use monetary terms when possible.
Then we can speak the same language.
31. Different types of risk
Legal risk – Legal costs, settlement
costs, fines
Compliance risk – fines, lost business
Brand risk – lost business
Security risk - ????
32. Translate technical risk to monetary risk
What is the monetary risk from vulnerabilities in your application portfolio?
Monetary risk is your expected loss; derived from your vulnerabilities, your breach cost, threat space data
Diagram: Your Vulnerabilities, Your Breach Cost, Threat Space Data
33. Your Breach Cost
Use cost analysis from your earlier breaches
Use breach cost from public sources
– Example: April 2010 Ponemon Institute Report (US Dollars)

Ponemon average and per-capita US breach cost (US Dollars)
             Detection &    Notification   Ex-Post       Lost          Total
             Escalation                    Response      Business
Average      264,208        500,321        1,514,819     4,472,030     6,751,451
Per-capita   8              15             46            135           204

Ponemon per-capita data by US industry sector (US Dollars): bar chart covering Communication, Consumer, Education, Energy, Financial, Healthcare, Hotel & Leisure, Manufacturing, Media, Pharma, Research, Retail, Services, Technology and Transportation; the per-capita costs shown range from 121 to 310 (chart values: 209, 159, 203, 237, 294, 153, 136, 149, 310, 266, 133, 256, 192, 121, 248)
34. Threat Space Data
Bar chart, Attack Type (0% to 60%): Error, Physical, Misuse, Social, Hacking, Malware
40% of data breaches are due to hacking
Bar chart, Hacking Root Cause (Vulnerability Category), top 7 application vulnerability categories (0% to 40%), including Remote File Inclusion, Insufficient Authentication, Command Injection and Backdoor/Control Channel
Source: Verizon 2010 Data Breach Investigations Report
62% of organizations experienced breaches in critical applications in a 12 month period
Source: Forrester 2009 Application Risk Management and Business Survey
35. How to Derive Your Expected Loss
expected loss (vulnerability category) = f( % of orgs breached × breach cost × breach likelihood from vuln. category )
Baseline expected loss for your organization due to SQL Injection*:
expected loss (SQL Injection) = f( 62% × $248 × 100,000 × 25% )
*If your SQL Injection prevalence is similar to average SQL Injection prevalence; assumes 100,000 records
36. Monetary Risk Derived From Relative Prevalence
Vulnerability Category        Breach       Baseline        Average % of      % of Your         Monetary
                              Likelihood   Expected Loss   Apps Affected¹    Apps Affected²    Risk
Backdoor/Control Channel      29%          $4,459,040      8%                15%               higher
SQL Injection                 25%          $3,844,000      24%               10%               lower
Command Injection             14%          $2,152,640      7%                6%                same
XSS                           9%           $1,383,840      34%               5%                lower
Insufficient Authentication   7%           $1,076,320      5%                2%                lower
Insufficient Authorization    7%           $1,076,320      7%                7%                same
Remote File Inclusion         2%           $307,520        <1%               <1%               same
Assume 100,000 customer records.
For SQLi the expected loss is: 62% * $248 * 100,000 * 25% = $3,844,000
1. Veracode 2010 State of Software Security Report, Vol. 2
2. De-identified financial service company data from Veracode industry data
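The expected-loss model of slides 35 and 36, carried through in Python as an added example (not from the presentation). The inputs are the ones the slides cite: 62% of organisations breached, $248 per record, 100,000 records, and the per-category breach likelihood and prevalence figures from the table. Two things are this example's own assumptions: "<1%" is taken as 0.5%, and the "higher/same/lower" column is derived with a 2-point tolerance plus a linear scaling of the baseline by your prevalence relative to the average, where the slides only give the direction.

```python
"""Expected monetary loss per vulnerability category (added example, not from the slides)."""

PCT_ORGS_BREACHED = 0.62        # Forrester 2009, as cited on slide 34
BREACH_COST_PER_RECORD = 248    # USD per record, as used on slide 35
RECORDS = 100_000               # customer records, as assumed on slide 36

# (breach likelihood, industry-average % of apps affected, % of your apps affected)
# from the slide 36 table; "<1%" is taken as 0.005 here (assumption).
CATEGORIES = {
    "Backdoor/Control Channel":    (0.29, 0.08, 0.15),
    "SQL Injection":               (0.25, 0.24, 0.10),
    "Command Injection":           (0.14, 0.07, 0.06),
    "XSS":                         (0.09, 0.34, 0.05),
    "Insufficient Authentication": (0.07, 0.05, 0.02),
    "Insufficient Authorization":  (0.07, 0.07, 0.07),
    "Remote File Inclusion":       (0.02, 0.005, 0.005),
}


def baseline_expected_loss(category, pct_breached=PCT_ORGS_BREACHED,
                           cost_per_record=BREACH_COST_PER_RECORD, records=RECORDS):
    """% of orgs breached x breach cost x records x breach likelihood, in whole dollars."""
    likelihood = CATEGORIES[category][0]
    return round(pct_breached * cost_per_record * records * likelihood)


def relative_risk(category, tolerance=0.02):
    """Direction of your risk against the industry baseline.

    A difference of at most `tolerance` (2 percentage points, assumed) counts as 'same'."""
    _, average, yours = CATEGORIES[category]
    if yours > average + tolerance:
        return "higher"
    if yours < average - tolerance:
        return "lower"
    return "same"


def adjusted_expected_loss(category, **kwargs):
    """Baseline scaled by your prevalence relative to the average (assumed linear scaling)."""
    _, average, yours = CATEGORIES[category]
    return round(baseline_expected_loss(category, **kwargs) * yours / average)


def risk_table(**kwargs):
    """Rows in the shape of slide 36, plus the scaled dollar figure."""
    return [(cat, baseline_expected_loss(cat, **kwargs), relative_risk(cat),
             adjusted_expected_loss(cat, **kwargs)) for cat in CATEGORIES]


if __name__ == "__main__":
    for cat, baseline, direction, adjusted in risk_table():
        print(f"{cat:<28} ${baseline:>10,}  {direction:<6}  ${adjusted:>10,}")
```

Passing `records=` or `cost_per_record=` reruns the table for your own portfolio size and your own sector's per-capita cost, which is the conversation the next slide wants to have with the executives. Do not add the rows up as a portfolio total: the category likelihoods are shares of breaches, not independent events.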
37. Executives want…
An organizational wide view. Am I lowering overall
application risk?
– Internal code
– Outsourced
– Vendor supplied
– Open source
A program that has achievable objectives. What am I
getting for the money I am spending?
A program that is measurable: metrics and reporting.
Am I marching toward the objectives?
– Which dev teams, outsourcers are performing well?
– How is my organization doing relative to my peers?
38. Tips to make the program successful
The right people have to understand what is
going to happen before you start
Do a real world pen test or assessment of a
project. Demonstrate relevant risk.
Integrate into existing processes
SDLC
Procurement/legal
M&A
39. Q&A
Speaker Contact
Information:
Chris Wysopal
(cwysopal@veracode.com)
Twitter: @WeldPond
David Rook
www.securityninja.co.uk
@securityninja
/realexninja
/securityninja